BILL NUMBER: S8169
SPONSOR: BYNOE
TITLE OF BILL:
An act to amend the state technology law, in relation to prompt notifi-
cation to affected individuals in the event of a data breach within
certain state entities
PURPOSE:
Relates to the prompt notification to affected individuals in the event
of a data breach within certain state entities.
SUMMARY OF PROVISIONS:
Section 1. Paragraphs (b) and (c) of subdivision 1 of section 208 of
the state technology law are amended to provide that a breach of a secu-
rity system shall also include the unauthorized utilization of computer-
ized data by either person or entity without proper authorization,
repeals subsection (2) of subsection (c), and provides that such review
of unauthorized utilization shall include the occurrence of a cyberse-
curity incident, as defined by new paragraph (e).
Section 2. Amends subdivision 2 of section 208 of the state technology
law, as amended by chapter 117 of the laws of 2019, to provide that any
state entity that owns, licenses, or maintains computerized data that
includes personal information shall be included in the requirements of
this new section when private information is believed to have been
accessed or acquired by a person or entity without valid authorization.
Section 3. Amends subdivision 3 of section 208 of the state technology
law, as amended by chapter 117 of the laws of 2019, to provide that
such provision will apply to any person or entity without valid authori-
zation.
Section 4. Effective Date.
JUSTIFICATION:
Between September and December of 2021, Nassau County suffered a signif-
icant internal data breach that compromised the confidential records of
past, current, and prospective employees, including their medical histo-
ry and social security numbers. The affected individuals were not noti-
fied until February of 2022. This incident revealed the larger gap in
current data breach disclosure requirements which effectively exempt
local municipalities from having to notify affected individuals when
their personal information is compromised.
This bill amends the current law to extend existing notification
requirements in the event of a data breach to local municipalities, who
are just as susceptible to these types of vulnerabilities and who are
often charged with managing highly sensitive, confidential information
for thousands of individuals. This bill further amends the law to better
address the full scope of threats that state entities may face, whether
from individuals or otherwise, and takes steps to address instances
where confidential information may still have been mishandled or compro-
mised even if improper disclosure had not occurred. With proper notifi-
cation, pursuant to the law, individuals will also receive information
on resources for dealing with data breaches and identity theft
prevention. With these adjustments, individuals will be made more fully
aware of when their data may be compromised and given greater opportu-
nity to take corrective action. At a time when cyberthreats are on the
rise, particularly among local governments, this legislation will better
protect those who rely on secure systems to keep their information safe.
PRIOR LEGISLATIVE HISTORY:
New bill.
FISCAL IMPLICATIONS:
To be determined.
EFFECTIVE DATE:
90 days after it shall have become a law.
Statutes affected: S8169: 208 state technology law, 208(2) state technology law, 208(3) state technology law